Merge "Fix Gentoo hardened support"

This commit is contained in:
Jenkins 2016-02-02 20:49:30 +00:00 committed by Gerrit Code Review
commit 4526cf23ec
10 changed files with 90 additions and 6 deletions


@ -217,6 +217,15 @@ if [ -z "$DIB_ROOT_LABEL" ]; then
fi
fi
# xattr support cannot be relied upon with tmpfs builds
# some kernels supoprt it, some don't
if [[ -n "${GENTOO_PROFILE}" ]]; then
if [[ "${GENTOO_PROFILE}" =~ "hardened" ]]; then
echo 'disabling tmpfs for gentoo hardened build'
export DIB_NO_TMPFS=1
fi
fi
mk_build_dir
create_base
# This variable needs to be propagated into the chroot
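Review bot: `[[ -n "${GENTOO_PROFILE}" ]]` raises an unbound-variable error on any build where the variable was never exported if this script runs under `set -u` (the `set` line is outside the hunk); `if [[ -n "${GENTOO_PROFILE:-}" ]]; then` keeps the guard and survives that case. The quoted right-hand side of `=~ "hardened"` makes it a plain substring match, which is presumably the intent, so a comment such as `# any profile path containing "hardened", e.g. hardened/linux/amd64` would save the next reader from "fixing" the quotes. The comment above the block has a typo, `supoprt` → `support`. The enclosing if/fi chain starts before this hunk.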


@ -5,6 +5,28 @@
},
"suse": {
"dkms_package": ""
},
"gentoo": {
"ccache_package": "dev-util/ccache",
"curl": "net-misc/curl",
"dhcp_client": "net-misc/dhcp",
"dkms_package": "",
"extlinux": "sys-boot/syslinux",
"git": "dev-vcs/git",
"grub_bios": "sys-boot/grub",
"grub-pc": "sys-boot/grub",
"ironic-python-agent": "",
"iscsi_package": "sys-block/open-iscsi",
"isc-dhcp-client": "net-misc/dhcp",
"isolinux": "",
"ncat": "net-analyzer/netcat",
"qemu-utils": "app-emulation/qemu",
"python-dev": "",
"PyYAML": "dev-python/pyyaml",
"syslinux": "sys-boot/syslinux",
"syslinux-common": "",
"tftp": "net-ftp/tftp-hpa",
"tgt": "sys-block/tgt"
}
},
"default": {


@ -34,6 +34,12 @@ function show_options {
function fix_shm {
if [[ "${RUN_ONCE_SHM}" == '1' ]]; then
if [[ -L /dev/shm.orig ]]; then
rm /dev/shm.orig
fi
if [[ -d /dev/shm.orig ]]; then
rm -Rf /dev/shm.orig
fi
mv /dev/shm /dev/shm.orig
mkdir /dev/shm
mount -t tmpfs none /dev/shm
@ -53,7 +59,7 @@ function unfix_shm {
function install_gentoo_packages {
RUN_ONCE_SHM='1'
fix_shm
emerge "$@"
emerge $@
unfix_shm
}
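Review bot: The +/- markers are lost in this rendering, so I cannot tell which of `emerge "$@"` and `emerge $@` is the new line; the one that survives should be the quoted form, since unquoted `$@` word-splits and globs the package atoms passed to install_gentoo_packages. In fix_shm, `mv /dev/shm /dev/shm.orig` runs before `mkdir`/`mount` and nothing puts the directory back if mount fails, so under `set -e` (not visible in this file) the chroot is left without /dev/shm; `mount -t tmpfs none /dev/shm || { rmdir /dev/shm; mv /dev/shm.orig /dev/shm; return 1; }` or a `trap unfix_shm EXIT` covers that path. Mounting with `-o nosuid,nodev` matches how /dev/shm is normally mounted and costs nothing for a build. fix_shm's body continues past the first hunk and unfix_shm is entirely outside this view.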


@ -1,2 +1,3 @@
cache-url
dib-run-parts
package-installs


@ -0,0 +1,2 @@
export DISTRO_NAME=gentoo
export GENTOO_PROFILE=$(eselect profile show | tail -n 1)
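Review bot: `export GENTOO_PROFILE=$(eselect profile show | tail -n 1)` unconditionally overwrites a profile the user set in the environment, while the root.d script in this same change falls back with `${GENTOO_PROFILE:-'default/linux/amd64/13.0'}`; `export GENTOO_PROFILE=${GENTOO_PROFILE:-$(eselect profile show | tail -n 1)}` keeps the user's choice and only probes when nothing was given. Environment.d files are, as far as I can tell, sourced on the build host rather than in the chroot, where `eselect` need not exist, so a `command -v eselect >/dev/null` guard avoids a "command not found" on every non-Gentoo host. The substitution's exit status is also masked by the `export` (ShellCheck SC2155), and `eselect profile show` commonly indents the profile name, so a consumer comparing with `==` will want the value trimmed.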


@ -1 +0,0 @@
export DISTRO_NAME=gentoo


@ -0,0 +1 @@
sys-fs/dosfstools:


@ -0,0 +1,39 @@
#!/bin/bash
if [[ ${DIB_DEBUG_TRACE:-0} -gt 0 ]]; then
set -x
fi
set -eu
set -o pipefail
# make sure system is in a consistant state
USE="-build" emerge -uDNv --with-bdeps=y --jobs=2 @world
USE="-build" emerge --verbose=n --depclean
USE="-build" emerge -v --usepkg=n @preserved-rebuild
# update config files
etc-update --automode -5
# clean up portage files
emerge --verbose=n --depclean
emaint all -f
eselect news read all
eclean-dist --destructive
# clean up files that may have been changed during build
shopt -s extglob
rm -Rf /tmp/!(ccache|in_target*|profiledir*)
shopt -u extglob
rm -Rf /root/.ccache/* /usr/portage/* /usr/src/* /var/cache/edb/dep/* /var/cache/genkernel/* /var/empty/* /var/run/* /var/state/* /var/tmp/* /var/cache/portage/distfiles
rm -Rf /etc/*- /etc/*.old /etc/ssh/ssh_host_* /root/.*history /root/.lesshst /root/.ssh/known_hosts /root/.viminfo /usr/share/genkernel /usr/lib64/python*/site-packages/gentoolkit/test/eclean/testdistfiles.tar.gz
# shrink a bit
for i in $(find /var/log -type f); do echo > $i; done
find /usr/share/man/ -mindepth 1 -maxdepth 1 -path "/usr/share/man/man*" -prune -o -exec rm -rf {} \;
# make it so we don't have to reinstall grub
if [[ -a /usr/sbin/grub2-install ]]; then
mkdir -p /tmp/grub
touch /tmp/grub/install
fi
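Review bot: `for i in $(find /var/log -type f); do echo > $i; done` word-splits and globs the file list, so a log name with whitespace is skipped or a different path gets truncated; `find /var/log -type f -exec truncate -s 0 {} +` does the same job without the loop. Removing `/etc/ssh/ssh_host_*` is the right thing for an image, but it relies on something regenerating host keys on first boot, and a comment naming what does that (presumably the sshd init script) would make the intent auditable, because a key baked into every instance would be worse than a missing one. The `shopt -s extglob` / `shopt -u extglob` pair around one `rm` deserves a one-line comment that `!(...)` needs it, and the hard-coded `--jobs=2` could read `DIB_GENTOO_EMERGE_JOBS` if the element already has such a knob.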


@ -7,3 +7,8 @@ set -eu
set -o pipefail
install -m 0755 -o root -g root $(dirname $0)/../bin/* /usr/local/bin
# migrate pt_pax flags to xt_pax
if [[ -a /usr/sbin/migrate-pax ]]; then
/usr/sbin/migrate-pax -m
fi
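Review bot: `[[ -a /usr/sbin/migrate-pax ]]` uses the deprecated spelling of `-e`; since the next line executes the file, `[[ -x /usr/sbin/migrate-pax ]]` states the real precondition, and the same applies to the `grub2-install` check in the new cleanup script. A short comment on what `-m` does would help, as the flag's meaning is not obvious from the script itself. The leading `install ...` line appears to be context rather than new code.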


@ -42,16 +42,16 @@ ELEMENT_DIR=${ELEMENT_DIR:-"${ELEMENTS_PATH}/gentoo"}
GENTOO_PROFILE=${GENTOO_PROFILE:-'default/linux/amd64/13.0'}
if [[ "${GENTOO_PROFILE}" == "default/linux/amd64/13.0" ]]; then
FILENAME_BASE='gentoo-stage4'
SIGNED_SOURCE_SUFFIX='cloud'
SIGNED_SOURCE_SUFFIX='minimal'
elif [[ "${GENTOO_PROFILE}" == "default/linux/amd64/13.0/no-multilib" ]]; then
FILENAME_BASE='gentoo-stage4-nomultilib'
SIGNED_SOURCE_SUFFIX='cloud-nomultilib'
SIGNED_SOURCE_SUFFIX='minimal-nomultilib'
elif [[ "${GENTOO_PROFILE}" == "hardened/linux/amd64" ]]; then
FILENAME_BASE='gentoo-stage4-hardened'
SIGNED_SOURCE_SUFFIX='hardened+cloud'
SIGNED_SOURCE_SUFFIX='hardened+minimal'
elif [[ "${GENTOO_PROFILE}" == "hardened/linux/amd64/no-multilib" ]]; then
FILENAME_BASE='gentoo-stage4-hardened-nomultilib'
SIGNED_SOURCE_SUFFIX='hardened+cloud-nomultilib'
SIGNED_SOURCE_SUFFIX='hardened+minimal-nomultilib'
else
echo 'invalid profile, please select from the following profiles'
echo 'default/linux/amd64/13.0'
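Review bot: The four `==` comparisons accept only the exact canonical profile strings, yet with this change GENTOO_PROFILE may arrive from the new environment.d file (`eselect profile show | tail -n 1`) instead of the `${GENTOO_PROFILE:-...}` default on the first line; if that output carries leading whitespace, every branch misses and the else branch reports an invalid profile. Trimming before comparing, `GENTOO_PROFILE=${GENTOO_PROFILE//[[:space:]]/}`, or normalising in environment.d, makes the two files agree. Which side of each SIGNED_SOURCE_SUFFIX pair is old or new is not recoverable from this rendering, so the suffix change itself is not reviewed here.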